[refpolicy] systemd policy
russell at coker.com.au
Mon Jan 13 07:52:56 EST 2014
On Sun, 12 Jan 2014 13:18:41 Laurent Bigonville wrote:
> Daniel do you know when this will happen? Can I already propose some of
> these patches?
One thing that would be good to propose first is the labelling of unit files.
Currently in Debian policy we have lots of patches to daemon policy like the
following. If we can agree that each daemon should have its own unit file
type (which appears to me to have no benefit unless we make a significant
addition to the daemon management functionality) then we can add the patch as-
is. If we are going to add it as-is then the sooner the better, as a patch
that affects lots of files is annoying to maintain.
It seems to me that the only benefit of per-daemon types is that we can write
policy allowing one user access to manage daemons with several types.
The other possible way of allowing per-user management of daemons managed by
the type of the unit file would be to have a default type for the unit files
(which is easier for .fc files and no change to most daemon policy). Then
whenever we need to delegate some sysadmin rights to a daemon we create a new
type as appropriate and a fcontext rule to label the unit file.
Regardless of when we merge the patches it would be good to get this design
issue sorted out soon.
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/